This Week in Security: Enemy of The Privacy State

How One Company Is Tracking 10 Million Smartphones

A recent study by two college students, which looked at whether people spent less time with family members from the opposing political party at Thanksgiving, has exposed the deep tracking capabilities of a small company named SafeGraph.

In a story hauntingly reminiscent of the Carrier IQ scandal, this relatively under-the-radar company has been collecting data from 10,000,000 smartphones and can identify 17,000,000,000,000 (that is 17 trillion) unique location points where people spend time.

To fuel this massive data collection, SafeGraph appears to draw on several sources. The primary one appears to be application developers themselves: SafeGraph incentivizes developers of location-aware apps, like that innocent-looking weather app or any app that makes you turn on GPS to use it, to integrate its API. The developers get free location lookups and data points to enrich their own products; in exchange, their users' location requests, and the data behind them, flow back to SafeGraph.

SafeGraph also obtains tracking data through third parties, so an application that does location lookups or uses location data can end up feeding SafeGraph even without integrating it directly. In addition to “a device’s precise geographic location,” SafeGraph states they will also collect “other mobile identifiers such as Apple’s Identifier for Advertisers (IDFA), Google Android IDs, and other information about users and their devices,” according to their privacy policy.

With $16M in investment this year, SafeGraph looks set to keep thriving in an environment where users are increasingly willing to share their location in exchange for location-based features, special features and unlockable items in apps.

Furthermore, the creepiness factor is cranked up to 11 by a recent blog post detailing their location-collecting kit, OpenLocate. In this post, SafeGraph stated “OpenLocate is founded on the belief that developers should have complete control over how location data is collected on their users.”

Before you stuff your mobile device’s SIM card in a NEC Turbo Express game system to avoid being tracked, know that users who are concerned about this invasive service and others like it can opt out of ad tracking on their devices (Limit Ad Tracking on iOS, Opt out of Ads Personalization on Android), which also lets you reset the advertising identifiers SafeGraph says it collects. One caveat: that switch does nothing about the location permission itself, so also revoke location access from any app that has no business with it.

Users should always question what an application asks for and notice when it oversteps its bounds, e.g., a wallpaper application shouldn’t be asking for your location data. If an application is suspect, it’s often better to be safe than sorry and uninstall it, so your “anonymized” data isn’t collected and analyzed by two college kids or anyone else with access to it.

Lost In The Ethereal – Parity’s Post Mortem Reveals Avoidable Disaster

Parity, the company behind the permanent lock-up of hundreds of millions of dollars’ worth of Ether, has released a post mortem of the events that led up to the disaster. After the massive hack of its multi-signature wallets in July, Parity pushed out a new version of the wallet library code. The now internet-famous user Devops199 was poking around this code and called the function ‘initWallet’ on the shared WalletLibrary contract itself, which had never been initialized and therefore had no owner, making himself its owner.

After this succeeded, this lovely individual decided to call ‘kill’ on the library, destroying it permanently. That wiped out a critical code library that every Parity multi-signature wallet deployed since the July fix relies on, freezing the funds they all contained, about $150M by Parity’s estimate.

However, where this really gets interesting is a user’s comment on Parity’s GitHub code from August. The user 3esmit tried to alert the company to the exact flaw that caused this issue, stating “BTW, when you deploy WalletLibrary, the init function will be open in the contract. I recommend you calling initWallet on WalletLibrary right after its deploy, just to ensure no one will use it.” This being the exact flaw that caused the fiasco, mind you. Additionally, in their tell-all, Parity admitted that there was never a formal audit of the code; they relied on an internal review and community reviews to ensure its safety.
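To make the failure mode described above concrete, here is an added, simplified illustration of the pattern; it is not Parity’s code and does not reproduce it. It shows a shared library whose initializer can be called directly on the library contract because the library’s own storage is never initialized, the `kill` path that then lets the new “owner” selfdestruct the code every wallet delegates to, a hardened library whose constructor marks itself initialized (the stronger fix is to have no selfdestruct path in shared code at all), and a proxy wallet that refuses to delegatecall into an address with no code. The contract and function names (`WalletLibraryVulnerable`, `WalletLibraryFixed`, `WalletProxy`) and the two-slot storage layout are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Illustrative example, not Parity's code. Names and layout are assumed.
// Many thin wallet contracts delegatecall into one shared library, so the
// library's code runs against each wallet's storage. The layout below must
// therefore be identical in the library and in the proxy.
contract WalletLibraryVulnerable {
    address[] public owners;   // storage slot 0
    uint256 public required;   // storage slot 1

    modifier onlyUninitialized() {
        require(owners.length == 0, "already initialized");
        _;
    }

    modifier onlyOwner() {
        bool isOwner = false;
        for (uint256 i = 0; i < owners.length; i++) {
            if (owners[i] == msg.sender) { isOwner = true; break; }
        }
        require(isOwner, "not an owner");
        _;
    }

    // Meant to be reached once per wallet, via the wallet's delegatecall.
    // Nothing stops a direct call on the library contract itself: its own
    // storage is still empty, so the first caller becomes its "owner".
    function initWallet(address[] memory _owners, uint256 _required)
        public
        onlyUninitialized
    {
        owners = _owners;
        required = _required;
    }

    // Once "owner" of the library, a caller can selfdestruct the code that
    // every wallet depends on. Attack, as two ordinary transactions:
    //   1. lib.initWallet([attacker], 1)  -> attacker is now the library's owner
    //   2. lib.kill(attacker)             -> the library's code is gone
    function kill(address payable to) public onlyOwner {
        selfdestruct(to);
    }
}

// Hardened variant: the library's own storage is initialized in its
// constructor, so a direct initWallet call now fails onlyUninitialized.
// address(this) can never be msg.sender, so it is an owner nobody can use.
contract WalletLibraryFixed is WalletLibraryVulnerable {
    constructor() {
        owners.push(address(this));
        required = 1;
    }
}

// Thin wallet: holds the funds and forwards every call to the library's
// code, executed against this contract's storage.
contract WalletProxy {
    address[] public owners;   // slot 0, same layout as the library
    uint256 public required;   // slot 1
    address public immutable logic;

    constructor(address lib, address[] memory _owners, uint256 _required) {
        logic = lib;
        (bool ok, ) = lib.delegatecall(
            abi.encodeWithSignature("initWallet(address[],uint256)", _owners, _required)
        );
        require(ok, "init failed");
    }

    receive() external payable {}

    fallback() external payable {
        address lib = logic;
        // A delegatecall to an address with no code "succeeds" with empty
        // return data, so without this check a destroyed library makes every
        // wallet call silently do nothing. Fail loudly instead.
        require(lib.code.length > 0, "library destroyed");
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), lib, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}
```

The deployment check 3esmit asked for translates to a one-line test: after deploying the library, call `initWallet` on it directly and confirm the call reverts. If it succeeds, the library is ownerless and the two transactions in the comment are all it takes to freeze every wallet that points at it.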

As of today, Parity is desperately trying to deploy a fix to unfreeze the assets in the affected multi-signature wallets. However, of all the proposals, the most promising also appears to be the most painful: a hard fork of Ethereum, similar to the 2016 fork that produced Ethereum Classic.

Right now, with cryptocurrencies as volatile a commodity as they are, the stability and reliability of developers, blockchains, and wallets are the difference between $0.00001 and $7800 per coin.